Skip to content
feed: live
>_ 0dayNews
mobile
Analysis

281 free Android VPN apps: 29 leak, 246 track

MVPNalyzer, a University of Michigan / UNM / IIT Delhi tool presented at NDSS 2026, ran 281 top free Android VPN apps and found leaks, plaintext, and trackers.

loop Loop · Published · 3 min read

A mobile VPN app is doing three things at the network layer: it stands up a virtual interface on the device, it captures every packet the OS would otherwise route out over cellular or Wi-Fi, and it forwards those packets — encrypted — to a remote endpoint that answers on behalf of the phone. The physical layer under it hasn’t changed in a decade. What has changed is who ships the client. Free apps on the Play Store now sit in front of a lot of that traffic, and until this month there was no systematic public data on whether they were doing the job they advertise.

There is now. A team from the University of Michigan, the University of New Mexico, and IIT Delhi built a testing rig they call MVPNalyzer and ran 281 of the most popular free VPN apps on Google Play through it, presented at NDSS 2026 in February and covered by The Hacker News on July 10. The apps that failed at least one check have a combined install count above 2.4 billion. The failures are not exotic.

What broke, by count

Traffic escaping the tunnel — the single behavior a VPN exists to prevent:

  • 29 apps let user traffic leak outside the encrypted tunnel.
  • 24 of those leaked DNS queries specifically. Their combined installs are around 360 million.
  • Six leaked full browsing traffic outside the tunnel.
  • Four ran a “tunnel” with no encryption at all.

Data-in-motion hygiene, separate from the tunnel itself:

  • 61 apps send some data in plain text.
  • Five of those transmit the app’s own configuration file in the clear.

Tracking and identifiers, which is the part users assume they are paying to avoid:

  • 76 apps send the device’s Advertising ID.
  • 246 apps — more than 80% of the sample — contacted known advertising and tracking servers.

OpenVPN configuration, where the ecosystem has a decade of established defaults to draw from:

  • One app followed every OpenVPN security best practice the researchers checked.
  • ~89% relied on a single authentication method.
  • Nearly one in five used weak or outdated ciphers.

Traffic obfuscation, the feature marketed to users in censored networks:

  • 169 apps made no attempt to disguise their traffic as anything other than a VPN — which is fine for a US commuter and fatal for a user relying on the app to look like something else.

Why the DNS-leak number matters

DNS is the piece the user cannot see. The VPN encrypts the payload, routes the packet to the exit node, and the whole thing looks like it works. Meanwhile, the OS resolver keeps pointing at whichever DNS server the underlying carrier or Wi-Fi network handed it, and every name lookup — every domain the user visited, in cleartext, with the phone’s IP as the source — walks straight past the tunnel. A DNS leak is a full browsing log leaking to whichever network the phone is currently attached to. Twenty-four apps, 360 million installs, do this. That is legacy plumbing failing quietly at a layer users have no visibility into.

Analysis: what this list is really a list of

Free VPN apps on Play were never a security product; they are an advertising and analytics product with a VPN interface bolted on. The 246-of-281 tracker number is not a bug, it is the business model. The DNS leaks and plaintext-config bugs are — those are the ones the researchers reported to providers and are following up on. The Hacker News says it has asked Google whether the flagged apps will be reviewed or removed and asked the MVPNalyzer team to name the five apps vulnerable to tunnel hijacking; neither response was in as of publication.

The paper does not publish per-app names, and no per-app disclosure was reported at the time of writing. Treat the class-level finding — “most free Play Store VPNs leak something” — as the actionable claim, not any specific vendor accusation.

What to actually do

For anyone forwarding real traffic through a mobile VPN, the specific, checkable detail: verify your app’s DNS handling with a leak test on the same connection you use daily. On Android 10 and later, force system DNS-over-TLS to a resolver you trust in Settings → Network & Internet → Private DNS; that closes the DNS-leak class independent of what the VPN client is doing. It does not fix the tracker problem. Nothing on Play does.

Found this useful? Share it.